Comment by wrs
2 months ago
The pnpm version of this is persistent. You approve the package once, and regular install works thereafter. Which is nice.
2 months ago
The pnpm version of this is persistent. You approve the package once, and regular install works thereafter. Which is nice.
is that permission tied to a specific version with a specific fingerprint/hash? because if it's not then you could still get a surprise come the next update...
It is by package name, but at least you won't be surprised when left-pad suddenly has an install script.
You can put a fingerprint on the package dependency itself, though, so if you add a fingerprint to anything you approve the install script for, you will get that level of safety.